tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: svn commit: r908917 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml
Date Thu, 11 Feb 2010 11:23:30 GMT
2010/2/11  <markt@apache.org>:
> Author: markt
> Date: Thu Feb 11 10:37:24 2010
> New Revision: 908917
>
> URL: http://svn.apache.org/viewvc?rev=908917&view=rev
> Log:
> Add a note on where to find the "not a vulnerability section"
> Add the missing severity and svn reference for CVE-2009-3555
> Remove the reference to CVE-2009-3555 from the fixed in 6.0.24 section to keep it consistent with the other non-Tomcat vulnerabilities
>
> Modified:
>    tomcat/site/trunk/docs/security-6.html
>    tomcat/site/trunk/xdocs/security-6.xml
>

> -   <p><strong>Medium: SSL MITN</strong>
> -      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
> -       CVE-2009-3555</a></p>
> -
> -    <p>See Not a vulnerability in Tomcat below</p>
> -
> -    <p>This was worked-around in
> -       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
> -       revision 891292</a> and
> -       <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev">
> -       revision 881774</a>.</p>
> -
> -    <p>Affects: 6.0.0-6.0.20</p>
> -
> -
>   </section>
>
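Review bot: the removed block carries `<p>Affects: 6.0.0-6.0.20</p>` and separate links for revision 891292 and revision 881774, and none of the replacement lines quoted in this message state an affected range. Carry the "Affects" line over to wherever the CVE-2009-3555 entry now lives, so a reader can tell which versions need the workaround without decoding revision numbers.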


> +    <p>This was worked-around in
> +       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
> +       revision 881774</a>.</p>
> +
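Review bot: the added anchor's href is `rev=891292` while its link text reads "revision 881774", so the link and its label disagree. The removed text linked the two revisions separately; either restore both links, each with matching href and text, or make this single link's target and label agree.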

1. rev.881774 mentioned in the text, but the link points to rev.891292.

Actually the fix is a combination of both those revisions. (E.g.
allowUnsafeLegacyRenegotiation field introduced in the first one is
still used in the second).

2. With this change now there is no information about what TC release
includes the workaround. It requires some experience to derive that
from revision numbers. Though everyone can look in the changelog.

Best regards,
Konstantin Kolinko
